Saturday, March 29, 2008
Security: MacBook Air Hacked In Minutes
Mac OS X's reputation for security was tarnished Thursday when a team of researchers from Independent Security Evaluators (ISE) managed to hack a MacBook Air in two minutes using a zero-day vulnerability in Apple's Safari 3.1 Web browser.
The ISE security researchers -- Charlie Miller, Jake Honoroff, and Mark Daniel -- were participating in the "PWN to OWN" competition at the CanSecWest security conference, which began Wednesday in Vancouver, British Columbia.
"Pwn" is computer gaming slang for "own," as in conquer. The "p" typo serves to heighten the humiliation of defeat by emphasizing that the loss came at the hands of a youth who can't even spell or type correctly. The term has also come to be used in security circles.
Contest participants had their choice of trying to hack an Apple MacBook Air running OS X 10.5.2, a Sony Vaio VGN-TZ37CN running Ubuntu 7.10, or a Fujitsu U810 running Vista Ultimate SP1. During the first day, when attacks were limited to network attacks on the operating system, no one managed to compromise any of the systems.
That changed Thursday when attacks on default client-side applications -- Web browser, e-mail, IM -- were allowed. The ISE team won $10,000 from security firm TippingPoint Technologies for compromising the MacBook Air.
The undisclosed vulnerability in Safari 3.1 has been shown to Apple and no further information about it will be revealed until Apple can issue an update, TippingPoint said.
In a blog post on Friday, TippingPoint said, "[S]ince the Vista and Ubuntu laptops are still standing unscathed, we are now opening up the scope of the targets beyond just default installed applications on those laptops; any popular third-party application (as deemed 'popular' by the judges) can now be installed on the laptops for a prize of $5,000 upon a successful compromise."
MacBook Air, the easiest one of the three
That's right; Mac OS is the easiest to hack, according to Charlie Miller, an analyst at ISE (Independent Security Evaluators). Charlie not only proved it by hacking the MacBook running OS X 10.5.2 in less than two minutes, but also won $10k and a new laptop.
Sponsors had put up three laptops with different operating systems, each patched with the latest updates. They were made available to anyone who could hack into the system. The three-day hacking contest was held at the CanSecWest conference, Marriott Renaissance, Vancouver, British Columbia. A USD 20k cash prize would have been paid to successful applicants on day one, USD 10k on day two and USD 5K on the last day.
No one was successful on the 1st day, but on the 2nd day Charlie Miller breached the MacBook OS in less than two minutes. Charlie Miller did not share the vulnerability, as he was bound by the nondisclosure agreement. Miller did, however, point to a bug in the Safari 3.1 browser.
Macaulay, the co-winner of last year's hacking contest, was able to breach the Vista operating system running Service Pack 1. It took him two days, but he finally succeeded in hacking into Vista on the last day.
Overall there were three winners: Charlie, who hacked the MacBook; Macaulay, who breached Vista; and the Linux operating system Ubuntu 7.10, installed on one of the systems, which remained unconquered.